(57) Abstract

A cryptographic method is disclosed for the issuing and subsequent showing of secret-key certificates, which can be restrictively blinded, and which are similar to DSA certificates. The issuing protocol is of a restrictively blind type, even when executed in parallel. An electronic cash system is also disclosed, which uses these certificates. Payments in the electronic cash system have the property of untraceability and can be verified off-line. Should a payer manage to break a tamper-resistant device, and spend the same coin twice, then two payments of the same coin suffice to identify the payer.
RESTRICTEDLY BLINDABLE CERTIFICATES ON SECRET KEYS


BACKGROUND OF THE INVENTION 

1. Field of the invention. 

The present invention relates to cryptographic techniques, and more particularly to systems for issuing and showing of DSA-like secret-key certificates that can be blinded only restrictively.

2. Description of the prior art. 

Secret-key certificate systems are described and claimed in US patent application Ser. No. 08/321,855, filed October 14, 1994, by the present applicant. Triples consisting of a secret key, a corresponding public key and a secret-key certificate on the public key can only be obtained by engaging in a certificate issuing protocol with a Certification Authority. The difference with the technique of public-key certificates, well-known in the art, is that pairs consisting of a public key and a secret-key certificate on the public key can be generated by anyone without the assistance of the Certification Authority.

Mechanisms for transporting digital signatures often require a Certification Authority to issue triples, consisting of a secret key, a matching public key, and a certificate of the Certification Authority on the public key. Of particular interest for privacy-protecting mechanisms for signature transport are so-called restrictive blind certificate issuing protocols, in which the receiver can blind the issued public key and the certificate, but not a predetermined non-trivial predicate of the secret key ("non-trivial" meaning that the predicate is at least one bit of information); this part of the secret key is invariant under any blinding operations that can feasibly be applied by the receiver, and hence the Certification Authority can encode information into it that cannot be altered. Restrictive blind certificate issuing protocols, and methods for applying them to privacy-protecting mechanisms for value transfer such as in particular off-line electronic cash, are described and claimed in US patent application Ser. No. 08/203,231, filed February 28, 1994, by the present applicant.

Patent application Ser. No. 08/203,231, filed February 28, 1994, and patent 
application Ser. No. 08/321,855, filed October 14, 1994, describe and claim restrictive 
blind certificate issuing protocols for secret-key certificates based on the Discrete 
Logarithm problem as well as on the RSA problem, both of which are believed in the 
art to be intractable. In particular the security of the described secret-key certificates 
and restrictive blind issuing protocols relies on the security of Schnorr digital 
signatures (see: Schnorr, C., "Efficient Signature Generation by Smart Cards," 
Journal of Cryptology, Vol. 4, No. 3, 1991, pp. 161-174), on the security of 
Guillou-Quisquater digital signatures (see: Guillou, L. and Quisquater, J., "A 
practical zero-knowledge protocol fitted to security microprocessor minimizing both 
transmission and memory," Lecture Notes in Computer Science 330, Proceedings of 
Eurocrypt '88, Springer-Verlag 1989, pp. 123-128), or on the security of other digital 
signatures with similar characteristics, commonly referred to in the art as 
Fiat-Shamir type digital signatures. 

Most of the secret-key certificate issuing protocols described in patent application 
Ser. No. 08/203,231, filed February 28, 1994, and patent application Ser. No. 
08/321,855, filed October 14, 1994, are restrictive blind only when the issuing 
protocol is executed sequentially, in case different blinding-invariant numbers are 
involved. This means that the Certification Authority should send new initial 
information for a next execution of the protocol only after it has received a challenge 
number for the previous execution of the protocol, in case distinct blinding-invariant 
numbers are involved. To enable the Certification Authority to perform executions of 
the issuing protocol in parallel without any limitations, the inventive and generally 
applicable method described in Dutch patent application NL 9500584, filed March 27, 
1995, by the present applicant, can be applied, to immunize against attacks in 
parallel execution mode. 

Patent application Ser. No. 08/321,855, filed October 14, 1994, describes a 
secret-key certificate system based on DSA digital signatures (see: NIST, 
"Specifications for a digital signature standard (DSS)," Federal Information 
Processing Standards Pub. (draft), Aug. 19, 1991). However it is highly unclear how 
an issuer could issue these certificates by means of an efficient restrictive blind issuing 
protocol. A restrictive blind issuing protocol for certificates based on DSA digital 
signatures is not yet known in the art, and neither is a secure protocol for showing 
such certificates. Because DSA signatures have been standardized in the US, and the 
security of DSA signatures is not necessarily dependent on the security of Schnorr or 
other Fiat-Shamir type digital signatures, restrictive blind issuing certificate protocols 
and showing protocols based on DSA digital signatures are believed to be of 
considerable practical interest, especially if executions of the issuing protocol could be 
performed in parallel without limitation. Privacy-protecting mechanisms for value 
transfer based on such DSA-like certificates are likewise believed to be of practical 
relevance. 

OBJECTS OF THE INVENTION 

Accordingly, it is an object of the present invention to allow DSA-like secret-key 
certificates to be issued in a restrictive blind issuing protocol. 

Another object of the present invention is to ensure that executions of the 
restrictive blind issuing protocol can be performed in parallel without limitation. 
A further object of the present invention is to allow DSA-like secret-key 
certificates to be shown without revealing the secret key. 

Yet another object of the present invention is to apply DSA-like secret-key 
certificates in the construction of off-line electronic cash systems with untraceable 
payments. 

A still further object of the present invention is to allow efficient, economical, and 
practical apparatus and methods fulfilling the other objects of the invention. 

Other features, objects, and advantages of this invention will be appreciated when 
the description and appended claims are read in conjunction with the figures. 

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows a flowchart of a restrictive blind issuing protocol for DSA-like secret-key certificates, in accordance with the teachings of the present invention.

Figure 2 shows a flowchart of a first coin withdrawal protocol based on the restrictive blind secret-key certificate issuing protocol of Figure 1, in accordance with the teachings of the present invention.

Figure 3 shows a flowchart of a first coin spending protocol based on the coin withdrawal protocol of Figure 2, in accordance with the teachings of the present invention.

Figure 4 shows a flowchart of a first coin depositing protocol based on the coin spending protocol of Figure 3, in accordance with the teachings of the present invention.

Figure 5 shows a flowchart of a second coin withdrawal protocol based on the restrictive blind secret-key certificate issuing protocol of Figure 1, in accordance with the teachings of the present invention.

Figure 6 shows a flowchart of a second coin spending protocol, based on the coin withdrawal protocol of Figure 5, in accordance with the teachings of the present invention.

Figure 7 shows a flowchart of a second coin depositing protocol, based on the coin spending protocol of Figure 6, in accordance with the teachings of the present invention.

SUMMARY OF THE INVENTION 

In accordance with these and other objects of this invention, a brief summary of the invention is presented. Some simplifications and omissions may be made in the following summary, which is intended to highlight and introduce some aspects of the present invention, but not to limit its scope. Detailed descriptions of preferred exemplary embodiments adequate to allow those of ordinary skill in the art to make and use this invention will be provided later.

In an issuing protocol for secret-key certificates, a designated party called a Certification Authority issues triples. Each triple consists of a secret key, a corresponding public key and a certificate of the Certification Authority on the public key. If the issuing protocol is restrictive blind, then a receiver party that obtains such a triple can ensure that the public key and the certificate are uncorrelated to the view of the Certification Authority; but on the other hand the receiver party cannot dispose of a certain predicate of the secret key, and so the Certification Authority can encode information into this predicate of the secret key. This property should preferably hold even when executions of the issuing protocol can be performed in parallel without limitation. A summary of the forming of secret-key certificates in accordance with the present invention follows.

The secret key of the Certification Authority is a pair $(x_0, y)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$, where $q$ is a prime number. The symbol $\mathbb{Z}_q$ denotes the set of numbers $\{0, \ldots, q-1\}$, with addition and multiplication defined modulo $q$. The corresponding public key of the Certification Authority is $(\mathrm{descr}(G_q), g, h_0, g_1, \mathrm{descr}(\mathcal{H}(\cdot)))$, whereby $G_q$ is a multiplicative group containing $q$ elements and $\mathrm{descr}(G_q)$ denotes a description of $G_q$ including $q$; $g$ is an element of order $q$ in the group $G_q$; $h_0$ is equal to $g^{x_0}$; $g_1$ is equal to $g^{y}$; and $\mathrm{descr}(\mathcal{H}(\cdot))$ is the description of a one-way hash-function, preferably such that it is substantially infeasible to find collisions.

A secret-key certificate on a public key $h$ in $G_q$ of the receiver party is a pair $(r, a)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ such that $a$ equals $(g^{a/c} h^{r/c}) \bmod q$. Here $c$ is equal to $\mathcal{H}(h, a)$, although in other variations more arguments can be included or $a$ may be left out. A secret key of the receiver party corresponding to its public key $h$ is a pair $(\alpha_1, \alpha_2)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ such that $h_0^{\alpha_1} g_1^{\alpha_2}$ equals $h$.
When issuing in a restrictive blind manner triples consisting of a secret key $(\alpha_1, \alpha_2)$, a corresponding public key $h$ unequal to 1 and a certificate on $h$, the quotient $\alpha_1^{-1}\alpha_2 \bmod q$, denoted by $I$, forms the blinding-invariant part of the secret key of the receiver party. In the issuing protocol the Certification Authority generates a random number $w_0$ in $\mathbb{Z}_q$ and computes a number $a_0$ for the receiver party by raising $g$ to the power $w_0$. The receiver party computes its public key $h$ by raising $h_0 g_1^{I}$ to a random non-zero power, and computes a challenge number $c_0$ for the Certification Authority on the basis of $h$ and a blinded form of $a_0$. The Certification Authority then computes a response, $r_0$, by applying its secret key $(x_0, y)$ to $I$, $w_0$ and the provided challenge $c_0$; the response should be such that $g^{a_0}(h_0 g_1^{I})^{r_0}$ equals $a_0^{c_0}$. The provided response $r_0$, if correct, is enough for the receiver party to compute one blinded secret-key certificate on its restrictively blinded public key $h$.

By applying inventive methods and techniques of patent application Ser. No. 08/203,231, filed February 28, 1994, to this DSA-like secret-key certificate system, off-line electronic cash systems with untraceability of payments can be constructed, as will be demonstrated on the basis of two different embodiments in the detailed description.

DETAILED DESCRIPTION OF THE INVENTION 

While it is believed that the notation of FIGS. 1 to 7 would be clear to those of ordinary skill in the art, it is first reviewed here for definiteness.

The flowcharts describe protocols. The actions performed by the parties participating in these protocols are grouped together into flowchart boxes. The party performing the actions described in a flowchart box is indicated by the column that the box is in, and is denoted by a column label. The Certification Authority is abbreviated by CA, and a receiver party by U. In some cases a plurality of people might collectively be thought of as a party, while in other cases a physical device or those who control it from time to time may be regarded as a party. Thus the parties denoted by single boxes or collections of boxes might sometimes be regarded as agents who perform a step or a collection of steps in a protocol. They might also be regarded as means for performing those steps, and might be comprised of any suitable configuration of digital logic circuitry. For example, any box or collection of boxes from the figures could be realized by hard-wired and dedicated combinatorial logic, or by some sort of suitably programmed machine, a microprocessor for instance, such as are well-known in the art, just as long as it is able to perform the storage, input/output and transformational steps (possibly apart from the random source functions) described by the corresponding box or boxes.
As is common in the art, for any integer $l$, the symbol $\mathbb{Z}_l$ denotes the set of numbers $\{0, \ldots, l-1\}$. Addition and multiplication of elements in $\mathbb{Z}_l$ are defined modulo $l$. The symbol $\mathbb{Z}_l^*$ denotes the set of numbers in $\{0, \ldots, l-1\}$ that are co-prime to $l$. Multiplication of elements in $\mathbb{Z}_l^*$ is defined modulo $l$. $\mathbb{Z}_l$ is called a ring of integers modulo $l$, and $\mathbb{Z}_l^*$ is called a multiplicative group of integers modulo $l$.

The symbol $\leftarrow$ denotes assignment, meaning that the variable or symbol on its left-hand side is assigned the value on its right-hand side. Assignments do not necessarily imply that storage space must actually be reserved; they may indicate intermediate values manipulated in volatile memory.

Another operation is a test for equality, which is indicated by the $=$ symbol. The behaviour of a protocol in the case an equality does not hold depends on the application for which the protocol is used and is hence often not specified; unless expl
icitly specified otherwise, the protocol can without loss of generality be assumed to halt.

The symbol $\in_{\mathcal{R}}$ indicates that the number, or each of the numbers, on its left-hand side is chosen from the ring or group on its right-hand side according to a uniform probability distribution, and independent of anything else. In practice pseudo-random techniques may be used, and the deviation from independence and a uniform distribution may be significant without this necessarily resulting in an appreciable loss in security.

Another action is denoted by the word "Send," followed by a colon and a number. This indicates that the number is sent by the party performing the actions described in the box to the other party participating in the protocol. The directed connections between the boxes indicate the order in which the actions that are grouped in the boxes are performed.

The forming of DSA-like secret-key certificates will now be described in detail. The secret key of the CA is a pair $(x_0, y)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$, where $q$ is a prime number. The corresponding public key of the CA is $(\mathrm{descr}(G_q), g, h_0, g_1, \mathrm{descr}(\mathcal{H}(\cdot)))$, whereby $G_q$ is a multiplicative group containing $q$ elements and $\mathrm{descr}(G_q)$ denotes a description of $G_q$ including $q$; $g$ is an element of order $q$ in the group $G_q$; $h_0$ is equal to $g^{x_0}$; $g_1$ is equal to $g^{y}$; and $\mathrm{descr}(\mathcal{H}(\cdot))$ is the description of a hash-function for which it is substantially infeasible to compute inverses. Preferably $\mathcal{H}(\cdot)$ is also collision-intractable, meaning that it is substantially infeasible to determine distinct arguments that are mapped by $\mathcal{H}(\cdot)$ to the same outcome. Furthermore $\mathcal{H}(\cdot)$ should preferably not map its arguments to 0.
The group $G_q$ must be such that efficient algorithms are known for multiplying, for determining equivalence of elements, and for generating substantially (pseudo-)random numbers. Furthermore no feasible algorithms for computing discrete logarithms in $G_q$ should be known. Various choices for such groups are well-known in the art, such as the unique subgroup of $q$ elements of a group $\mathbb{Z}_p^*$ for a prime $p$ such that $p-1$ is an integer multiple of $q$, or an elliptic curve of order $q$ over a finite field, and for this reason no explicit choice for $G_q$ is made here. An expression such as $g^{y}$ must always be interpreted as a computation in $G_q$. In case computations are performed modulo $q$, such as for example in $r_0 \leftarrow (x_0 + yI)^{-1}(c_0 w_0 - a_0) \bmod q$, the modulo operator is always shown explicitly. Using this convention the exemplary notation $(g^{a/c} h^{r/c}) \bmod q$ means that $g^{a/c} h^{r/c}$ is computed in the group $G_q$, and that the outcome of the computation is subsequently reduced modulo $q$.

A secret-key certificate on a public key $h$ in $G_q$ of U is a pair $(r, a)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ such that $a$ equals $(g^{a/c} h^{r/c}) \bmod q$. Here $c$ is equal to $\mathcal{H}(h, a)$. It will be clear to those of ordinary skill in the art that the presence of $a$ in $\mathcal{H}(h, a)$ is not mandatory (after all, in the DSA scheme also merely the message is hashed), but its inclusion is believed to benefit security and should hence be preferable. Of course, other information may be included in the hash as well. A secret key of U is a pair $(\alpha_1, \alpha_2)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ such that $h_0^{\alpha_1} g_1^{\alpha_2}$ equals $h$.

As will be clear to those of ordinary skill in the art, this definition of secret-key certificates is in accordance with the inventive methods and techniques described and claimed in patent application Ser. No. 08/321,855, filed October 14, 1994, by the present applicant. In particular the scheme detailed above is derived from a slight modification of the DSA digital signature scheme in accordance with methods described in patent application Ser. No. 08/321,855, filed October 14, 1994. In terms of the notation used here, the modification is that a DSA signature $(r, a) \in \mathbb{Z}_q \times \mathbb{Z}_q$ by the CA on a message $m$ must now satisfy the verification relation $(g^{a/c} h^{r/c}) \bmod q = a$, instead of $(g^{c/r} h^{a/r}) \bmod q = a$. Furthermore the DSS, the standard for DSA, makes the explicit choice $G_q \subset \mathbb{Z}_p^*$ for $G_q$, for a prime $p$ such that $p-1$ is a multiple of $q$.

Turning now to FIG. 1, a flowchart of a restrictive blind issuing protocol for these DSA-like secret-key certificates will now be described in detail. In the protocol, the CA issues triples consisting of a secret key $(\alpha_1, \alpha_2)$, a corresponding public key $h$, and a certificate $(r, a)$ of the CA on the public key $h$. The quotient, $\alpha_1^{-1}\alpha_2 \bmod q$, of the two numbers in the secret key will be encoded by the CA into the secret key of U during the execution of the restrictive blind certificate issuing protocol. This quotient forms the blinding-invariant part of the secret key, and is denoted by $I$. The protocol is believed to have the desirable property that $I$ cannot be blinded (modulo $q$) even when executions of the protocol are performed without limitation in parallel, by many users each having a different $I$.
Box 11, first line, shows the CA generating a random number $w_0$ in $\mathbb{Z}_q$. The second line shows the CA computing $g^{w_0}$, for later reference denoted by $a_0$. In case this number is equal to 0 modulo $q$ the CA generates a new $w_0$ and a corresponding new $a_0$, but in practice this event should have negligible probability. As described by the third line, the CA then sends $a_0$ to U.

Box 12, first line, shows U generating a random number $x$ in $\mathbb{Z}_q^*$; the pair $(x, Ix \bmod q)$ is its secret key, where $I$ is the information the CA encodes into the secret key. The second line shows U computing the corresponding public key $h$, by computing $(h_0 g_1^{I})^{x}$. As shown by the third line, U also generates two random numbers $s, t$ in $\mathbb{Z}_q$, that will serve to obtain a blinded $r$ and a blinded $a$. The fourth line shows U computing $a_0^{s}(h_0 g_1^{I})^{t}$, for later reference denoted by $a$. In case this number is equal to 0 modulo $q$, U generates a new $s$ or $t$ and a corresponding new $a$, but in practice this event should have negligible probability. As indicated by the fifth line, U then computes $\mathcal{H}(h, \bar{a})$, denoted by $c$; here $\bar{a}$ denotes $a \bmod q$. The sixth line specifies U computing the "challenge" $c s a_0 \bar{a}^{-1} \bmod q$, denoted by $c_0$. Finally, as shown by the seventh line, U sends $c_0$ to the CA.

Box 13, first line, shows the CA computing the "response" $(x_0 + yI)^{-1}(c_0 w_0 - a_0) \bmod q$, for later reference denoted by $r_0$. As described by the second line, the CA then sends $r_0$ to U.

Box 14, first line, shows U verifying whether $g^{a_0}(h_0 g_1^{I})^{r_0}$ equals $a_0^{c_0}$; in a practical implementation U could skip this verification for greater efficiency. As described by the second line, in case the verification holds U computes $x^{-1}(r_0 a_0^{-1}\bar{a} + ct) \bmod q$, denoted by $r$.

As those of ordinary skill in the art can easily verify, the pair $(r, \bar{a})$ is a secret-key certificate on the public key $h$ of U, such that U knows the secret key $(x, Ix \bmod q)$ corresponding to $h$. This certificate issuing protocol is believed to be restrictive blind, with blinding-invariant number $I \bmod q$, even in case the CA allows executions of the protocol to be performed in parallel when different blinding-invariant numbers $I$ are involved. As will be clear the value $h = 1$ must be declared invalid, since otherwise U could take $x$ equal to 0.
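The issuing protocol of FIG. 1 (Boxes 11 to 14, also summarized earlier in the Summary of the Invention), written out as an added example; this is not code from the patent or its applicant. It assumes constructed toy parameters: $q = 2^{61}-1$, $G_q$ the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the first prime $p = kq+1$ the code finds, and a hash $\mathcal{H}$ built from SHA-256 and folded into $\{1, \ldots, q-1\}$ so that it never yields 0. Function and class names (CA, box11, box13, receiver_obtains_certificate, verify_certificate, run_demo) are my own. The receiver side performs the Box 14 check and the final checks confirm that the issued pair is a valid certificate, that $h_0^{\alpha_1} g_1^{\alpha_2} = h$, and that $\alpha_1^{-1}\alpha_2 \bmod q$ is exactly the $I$ the CA encoded.

```python
import hashlib
import secrets

# Constructed toy parameters: q is the Mersenne prime 2^61 - 1 and G_q is the
# order-q subgroup of Z_p^* for the first prime p = k*q + 1 found below.
# Real deployments need far larger parameters; these only keep the demo fast.
q = (1 << 61) - 1

def is_prime(n):  # deterministic Miller-Rabin, valid for odd n < 3.3e24
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

k = 2
while not is_prime(k * q + 1):
    k += 2
p = k * q + 1
g = next(pow(v, k, p) for v in range(2, p) if pow(v, k, p) != 1)  # g has order q

def H(*args):  # hash into {1, ..., q-1}; never 0, as the text prefers
    data = b"|".join(str(v).encode() for v in args)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)

def inv(z):  # inverse modulo q
    return pow(z % q, -1, q)

class CA:
    """Certification Authority: secret key (x0, y), public key (g, h0, g1, H)."""
    def __init__(self):
        self.x0, self.y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
        self.h0, self.g1 = pow(g, self.x0, p), pow(g, self.y, p)

    def choose_I(self):  # blinding-invariant I to encode; keep x0 + y*I invertible
        while True:
            I = secrets.randbelow(q - 1) + 1
            if (self.x0 + self.y * I) % q:
                return I

    def box11(self):  # a0 = g^w0, regenerated in the rare case a0 = 0 mod q
        while True:
            w0 = secrets.randbelow(q)
            a0 = pow(g, w0, p)
            if a0 % q:
                return w0, a0

    def box13(self, I, w0, a0, c0):  # r0 = (x0 + y I)^-1 (c0 w0 - a0) mod q
        return inv(self.x0 + self.y * I) * (c0 * w0 - a0) % q

def receiver_obtains_certificate(ca, I):
    """Boxes 12 and 14 of FIG. 1; returns (secret key, public key h, certificate (r, a))."""
    w0, a0 = ca.box11()
    base = ca.h0 * pow(ca.g1, I, p) % p             # h0 g1^I
    x = secrets.randbelow(q - 1) + 1                 # x in Z_q^*; secret key is (x, I x)
    h = pow(base, x, p)
    while True:                                      # a = a0^s (h0 g1^I)^t, kept as a mod q
        s, t = secrets.randbelow(q), secrets.randbelow(q)
        a = pow(a0, s, p) * pow(base, t, p) % p % q
        if a:
            break
    c = H(h, a)
    c0 = c * s * a0 * inv(a) % q                      # blinded challenge for the CA
    r0 = ca.box13(I, w0, a0, c0)
    if pow(g, a0, p) * pow(base, r0, p) % p != pow(a0, c0, p):   # Box 14, line 1
        raise ValueError("CA response does not verify")
    r = inv(x) * (r0 * inv(a0) * a + c * t) % q       # Box 14, line 2
    return (x, I * x % q), h, (r, a)

def verify_certificate(ca, h, cert):
    """a == (g^{a/c} h^{r/c}) mod q with c = H(h, a); h = 1 is declared invalid."""
    r, a = cert
    ci = inv(H(h, a))
    return h != 1 and pow(g, a * ci % q, p) * pow(h, r * ci % q, p) % p % q == a

def run_demo():
    ca = CA()
    I = ca.choose_I()
    (alpha1, alpha2), h, cert = receiver_obtains_certificate(ca, I)
    cert_ok = verify_certificate(ca, h, cert)
    key_ok = pow(ca.h0, alpha1, p) * pow(ca.g1, alpha2, p) % p == h   # h0^a1 g1^a2 = h
    invariant_ok = inv(alpha1) * alpha2 % q == I                       # a1^-1 a2 = I
    return cert_ok, key_ok, invariant_ok

if __name__ == "__main__":
    print(run_demo())
```

The CA never sees $h$, $s$, $t$ or the final $(r, \bar{a})$, only $c_0$, yet the quotient of the two secret-key components is fixed to $I$ by construction, which is what the restrictive blinding relies on. The Box 14 check is kept so that a wrong $r_0$ is caught before the receiver derives $r$.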

FIGS. 2, 3 and 4 together describe a privacy-protecting off-line electronic coin system, in accordance with techniques described and claimed in patent application Ser. No. 08/203,231, filed February 28, 1994. The methods and techniques of patent application Ser. No. 08/203,231, filed February 28, 1994, for the coin withdrawal protocol are hereto applied to the protocol described by FIG. 1; and the methods and techniques for the coin payment protocol are by way of example applied to a digital signature scheme that is related to the DSA digital signature scheme. The flowcharts describe a setting whereby U (representing an account holder) obtains from the CA (representing a bank) a tamper-resistant computing device. This computing device is denoted by the symbol "T", and it prevents U from spending the same coin more than once. In accordance with the preferred embodiments of patent application Ser. No. 08/203,231, filed February 28, 1994, all protocols are constructed in such a manner that U can moderate all communication between T and the outside world, such that no information can leak from T to the outside world and vice versa. Furthermore $\mathcal{S}$, denoting a shop in the payment protocol, and T cannot even develop mutually known numbers that are statistically correlated. All manner of variations that satisfy less stringent privacy criteria can be obtained straightforwardly by modifying the protocol, and a simplification not offering prior restraint against double-spending can be made by letting U perform the role of T as well.

Turning now to FIG. 2, a flowchart describing a coin withdrawal protocol in an off-line electronic coin system, based on the issuing protocol described by FIG. 1, will now be described in detail. The number $I$ is uniquely linked to the account of U. It has been generated by the CA in a substantially random manner from $\mathbb{Z}_q^*$ and has been stored by the CA into T before providing T to U: it is a secret key of T. The number $g_1^{I}$ is the corresponding public key of T, and must be known to at least U. From now on $g_1^{I}$ is denoted by $h_1$.

The first line of Box 21 shows T generating a random number $w_1$ in $\mathbb{Z}_q$. The second line shows T computing $g_1^{w_1}$, for later reference denoted by $a_1$. In case this number is equal to 0 modulo $q$, T generates a new $w_1$ and a corresponding new $a_1$, but in practice this event should have negligible probability. As described by the third line, T then sends $a_1$ to U.

Box 22 is the same as Box 11.

Box 23 resembles Box 12. The first four lines are identical, although now U does not know $I$ and hence $h_1$ replaces $g_1^{I}$. Lines five and six are new. The fifth line shows U generating three random numbers $u, v, w$ in $\mathbb{Z}_q$. Line six shows U blinding the number $a_1$ of T to $a_1^{vx} h_0^{u} g_1^{w}$, for later reference denoted by $b$. In case this number is equal to 0 modulo $q$, U generates a new $u$, $v$ or $w$ and a corresponding new $b$, but in practice this event should have negligible probability. Line seven is almost the same as line five of Box 12, the difference being that $b \bmod q$, denoted by $\bar{b}$, is also a part of the argument to the hash-function $\mathcal{H}(\cdot)$. Lines eight and nine are identical to lines six and seven of Box 12.

Box 24 is the same as Box 13.
Box 25 is the same as Box 14.

The pair $(r, \bar{a})$ is a secret-key certificate of the CA on the one-time public key $(h, b)$ of U and T, such that U and T together, but not U alone, know the secret key $(x, Ix \bmod q)$ corresponding to $h$, as well as the secret key $(u, w_1 v x + w \bmod q)$ corresponding to $b$.

Turning now to FIG. 3, a flowchart describing a coin spending protocol, for spending a coin withdrawn in accordance with the flowchart of FIG. 2 to a receiving party $\mathcal{S}$, will now be described in detail.

The first line of Box 31 shows $\mathcal{S}$ sending a specification, denoted by "spec," to U. Appropriate formats for "spec" are described in patent application Ser. No. 08/203,231, filed February 28, 1994. For example "spec" comprises the identity or an account number of $\mathcal{S}$, and date and time of transaction. It is conceivable that $\mathcal{S}$ need not supply "spec" to U because U can determine it by itself.

The first line of Box 32 shows U computing the number $\mathcal{H}(h, b, \mathrm{spec})$, denoted by $d$. To prevent $d$ from containing privacy-compromising information, U determines a blinded form of $d$. As shown by the second line U hereto computes $v d \bar{a}_1 \bar{b}^{-1} \bmod q$, denoted by $d_1$. The third line shows U subsequently sending $d_1$ to T. As will be clear to those of ordinary skill in the art, $d$ need not necessarily be determined using the same hash function, $\mathcal{H}(\cdot)$, as that used in FIG. 2, and the choice is merely for concreteness.

The first line of Box 33 shows T verifying whether $w_1$ is present in its memory. If this is the case and $d_1 \neq 0 \bmod q$, T computes as shown by the second line the number $I \bar{a}_1 + w_1 d_1 \bmod q$, denoted by $r_t$. As shown by the third line T then erases $w_1$ from memory. Of course, in practice the random number of T can be generated from, say, a block-cipher based hash function having suitable pseudo-random properties, and then the erasing means that T increments a sequence number to the pseudo-random generator from which it has generated $w_1$. Finally T sends the number $r_t$ to U, as shown by the fourth line.

The first line of Box 34 shows U verifying whether the number $r_t$ supplied by T is correct. If this is the case, U computes as shown by the second line the number $x\bar{b} + ud \bmod q$, denoted by $r_1$. As shown by the third line U also computes the number $r_t x \bar{a}_1^{-1} \bar{b} + wd \bmod q$, denoted by $r_2$. The fourth line shows U sending to $\mathcal{S}$ the one-time public key $(h, b)$, the certificate $(r, \bar{a})$ and the computed numbers $(r_1, r_2)$.

The first line of Box 35 shows $\mathcal{S}$ verifying the correctness of the one-time public key. The second and third lines show $\mathcal{S}$ verifying the correctness of the certificate $(r, \bar{a})$. The fourth and fifth lines show $\mathcal{S}$ verifying that the responses $r_1$ and $r_2$ of U correspond to "spec"; $(r_1, r_2)$ is a digital signature of U (and T) on "spec", with respect to the one-time public key $(h, b)$ of U. It is noted that the security of this digital signature is related to that of DSA signatures. In case all verifications by $\mathcal{S}$ hold, $\mathcal{S}$ accepts the payment.

Turning now to FIG. 4, a flowchart describing a coin deposit protocol, for depositing at the CA a coin spent in accordance with the flowchart of FIG. 3, will now be described in detail.

The first line of Box 41 shows $\mathcal{S}$ sending to the CA what may be called the payment transcript, consisting of $(h, b)$, $(r, \bar{a})$, and $(\mathrm{spec}, r_1, r_2)$.

Box 42 is largely the same as Box 35. In particular the first five lines are the same; the CA verifies whether the payment transcript is correct. As shown by the sixth line the CA then checks whether $h$ has not already been deposited before, as part of the same or another payment transcript. In case $h$ has not yet been deposited, the CA credits the account of the party specified in "spec," as shown by the seventh line. As shown by line eight the CA stores $(h, b)$, $(\mathrm{spec}, r_1, r_2)$ in its deposit database.

Not shown in FIG. 4 are the actions of the CA in case the verification shown by the sixth line does not hold, meaning that $h$ has been deposited already in an earlier stage. In case "spec" for the previously deposited payment transcript is not identical to "spec" of the new payment transcript, some party has managed to double-spend the coin. The CA can then compute from the already stored challenge, denoted by $d'$, and the already stored pair, denoted by $(r_1', r_2')$, of the old payment transcript, and $d$ and the pair $(r_1, r_2)$ of the new payment transcript, the number $I$ belonging to the account holder that withdrew the coin. Namely, as can easily be verified by those of ordinary skill in the art, $I$ is equal to $(r_1 d' - r_1' d)^{-1}(r_2 d' - r_2' d) \bmod q$.
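The modulo-$q$ arithmetic of Boxes 32 to 34 (the blinded challenge $d_1$, T's response, and U's responses $r_1, r_2$) together with the Box 42 identification of a double-spender, as an added example that is not code from the patent. Only residues modulo $q$ enter these computations, so the group elements $h$, $b$ and $a_1$ are replaced by constructed random residues (assumption: the certificate and the group-side checks of Box 35 are handled elsewhere and are not repeated here), $q = 2^{61}-1$ is a toy order, $d$ is derived from SHA-256, and T's response is named rt. Reusing $w_1$ for a second spend models a T whose tamper-resistance has been broken; an intact T has erased $w_1$ and refuses, as Box 33 states.

```python
import hashlib
import secrets

# Constructed toy group order (a prime); the group G_q itself is not needed here,
# because Boxes 32-34 and 42 only use values reduced modulo q.
q = (1 << 61) - 1

def inv(z):  # inverse modulo q
    return pow(z % q, -1, q)

def hash_spec(h, b, spec):  # stands in for d = H(h, b, spec); never 0
    data = f"{h}|{b}|{spec}".encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)

def observer_response(I, w1, a1bar, d1):
    """Box 33: T answers I*a1bar + w1*d1 mod q; a zero challenge would expose I."""
    if d1 % q == 0:
        raise ValueError("T refuses a zero challenge")
    return (I * a1bar + w1 * d1) % q

def sign_spec(coin, I, w1, spec):
    """Boxes 32-34, modulo-q part: (d, r1, r2) that U (helped by T) sends with the coin."""
    d = hash_spec(coin["h"], coin["b"], spec)
    d1 = coin["v"] * d * coin["a1bar"] * inv(coin["bbar"]) % q        # Box 32: blinded challenge
    rt = observer_response(I, w1, coin["a1bar"], d1)                   # Box 33
    r1 = (coin["x"] * coin["bbar"] + coin["u"] * d) % q                # Box 34, line 2
    r2 = (rt * coin["x"] * inv(coin["a1bar"]) * coin["bbar"] + coin["w"] * d) % q  # line 3
    return d, r1, r2

def identify_double_spender(d, r1, r2, d_old, r1_old, r2_old):
    """Box 42: I = (r1 d' - r1' d)^-1 (r2 d' - r2' d) mod q from two transcripts of one coin."""
    if d == d_old:
        raise ValueError("same challenge twice: a replayed transcript, not a double-spend")
    return inv(r1 * d_old - r1_old * d) * (r2 * d_old - r2_old * d) % q

def run_demo():
    rnd = lambda: secrets.randbelow(q - 1) + 1
    I, w1 = rnd(), rnd()   # T's account secret and its per-coin randomness from Box 21
    # x, u, v, w are U's secrets from Boxes 12 and 23; a1bar, bbar, h, b are constructed
    # stand-ins for the residues of the group elements a1 and b and for the key (h, b)
    coin = dict(x=rnd(), u=rnd(), v=rnd(), w=rnd(), a1bar=rnd(), bbar=rnd(), h=rnd(), b=rnd())
    first = sign_spec(coin, I, w1, "shop A, 10:00")
    # an intact T has erased w1 by now; a T whose tamper-resistance is broken answers again
    second = sign_spec(coin, I, w1, "shop B, 11:00")
    recovered = identify_double_spender(*second, *first)
    # one transcript alone: r2 is linear in d under b's secret key (u, w1 v x + w)
    d, r1, r2 = first
    beta2 = (w1 * coin["v"] * coin["x"] + coin["w"]) % q
    structure_ok = r2 == (I * coin["x"] * coin["bbar"] + beta2 * d) % q
    return recovered == I, structure_ok

if __name__ == "__main__":
    print(run_demo())
```

Both responses are of the form (secret) $\cdot \bar{b}$ + (randomness) $\cdot d$, so a single transcript is masked by $u$ and $w$, while two transcripts with different $d$ share the same secret coefficients and the linear combination in identify_double_spender cancels the randomness and leaves $\alpha_1^{-1}\alpha_2 = I$.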

The protocols specified by FIGS. 2, 3 and 4 are based on the use of a DSA-like signature in the coin payment protocol. Likewise T in the ensemble of coin withdrawal and coin spending protocols performs a DSA-like identification protocol, which is believed to hide its secret $I$. As will be appreciated many variations can be applied. For example it is not difficult to let T instead perform a Schnorr identification protocol, well-known in the art and referenced already in the background description. In that case the precise manner in which U in Box 23 blinds the number $a_1$ needs to be adjusted, and also the verification and computation of $r_2$ from $r_t$, as specified by Box 34, have to be modified. Furthermore one can replace the digital signature provided by U and T in the payment protocol by a so-called Okamoto signature (see: Okamoto, T., section 6.1 of "Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes," Crypto '92, Lecture Notes in Computer Science 740, Springer-Verlag (1993), pp. 31-53). Again a few minor modifications need to be made. By way of illustration it will now be described in detail how both changes can be applied at the same time (T performs Schnorr identification and in the payment protocol an Okamoto signature is provided).

Turning now to FIG. 5, a flowchart describing an adjusted coin withdrawal protocol in an off-line electronic coin system, based on the issuing protocol described by FIG. 1, will now be described in detail. The set-up of the protocol is the same as described for FIG. 1.

Box 51 is the same as Box 21, with the minor difference that $a_1$ is now allowed to be equal to 0 mod $q$.

Box 52 is the same as Box 22.
Box 53 is similar to Box 23. The only difference is in lines six and seven. As shown by the sixth line U this time blinds $a_1$ to $a_1 h_0^{u} h_1^{v} g_1^{w}$ instead of to $a_1^{vx} h_0^{u} g_1^{w}$; moreover $b$ is allowed to be equal to 0 mod $q$. In the computation of $c_0$, in line seven, this time $b$ is incorporated, instead of $b \bmod q$.
Box 54 is the same as Box 24.
Box 55 is the same as Box 25.

Turning now to FIG. 6, a flowchart describing a coin spending protocol, for spending a coin withdrawn in accordance with the flowchart of FIG. 5 to a receiving party S, will now be described in detail.

Box 61 is the same as Box 31.

Box 62 is almost the same as Box 32. The only difference is in the manner in which $d$ is computed, in the second line.

Box 63 is almost the same as Box 33. The only difference is in the manner in which $r_2$ is computed, in the second line; moreover, T need not check that $d$ is unequal to $0 \bmod q$ this time.

Box 64 is almost the same as Box 34. The only difference is in the precise manner in which U verifies the correctness of $t_1$ and computes the responses $r_1$ and $r_2$, and in the information U sends to S; the modifications are shown by the four lines.

Box 65 is almost the same as Box 35. The only difference is in the manner in which the correctness of the certificate and of $r_1$ and $r_2$ is verified.

It is noted that S could equally well perform the verification of the certificate by verifying whether $g^{a/c} h^{r/c} \bmod q$ equals $a$, where $c$ is computed as $\mathcal{H}(h, h_0^{r_1} g_1^{r_2} h^{-d}, a)$; and the verification of the correctness of $(r_1, r_2)$ can be performed by verifying whether $d$ equals $\mathcal{H}(h, h_0^{r_1} g_1^{r_2} h^{-d}, \mathrm{spec})$. In that case U in Box 64 should send $d$ instead of $b$.



Turning now to FIG. 7, a flowchart describing a coin deposit protocol, for depositing at the CA a coin spent in accordance with the flowchart of FIG. 6, will now be described in detail.

Box 71 is almost the same as Box 41, the difference being that the payment transcript now consists of $(r, a)$, $b$ and $(\mathrm{spec}, r_1, r_2)$. (As mentioned above, alternatively $d$ can be sent instead of $b$.)

Box 72 is almost the same as Box 42; the first five lines are now the same as in Box 65, and $b$ need not be stored in line eight. The action taken by the CA in case $h$ has already been deposited before is similar to that described for Box 42. Namely, as can easily be verified by those of ordinary skill in the art, $I$ can be computed as $(r_1 - r'_1)^{-1}(r_2 - r'_2) \bmod q$, where $(r'_1, r'_2)$ denotes the already stored pair of the old payment transcript.
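The Schnorr-variant coin of FIGS. 5, 6 and 7, worked through end to end. This is an added example and not code from the patent. It makes the following assumptions, none of which are in the text: $G_q$ is instantiated as a toy 48-bit prime-order subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$ (found at import time); $\mathcal{H}(\cdot)$ is SHA-256 over length-prefixed inputs, reduced mod $q$; U and T are merged into one party, so the tamper-resistant split and T's Schnorr identification are not modelled; and the restrictive blind withdrawal of FIGS. 1 and 5 is replaced by an unblinded issuing in which U hands the CA the discrete logarithm of $h$, which is exactly what the blind protocol avoids and is done here only so that the CA can produce the DSA-like certificate $(r, a)$ with $a = (g^{a/c} h^{r/c} \bmod p) \bmod q$ and $c = \mathcal{H}(h, b, a)$. The function names, the transcript dictionaries and the `spec` byte strings are the example's own. What it shows is the two interchangeable transcript forms from the text (sending $b$, or sending $d$ and recovering $b$ as $h_0^{r_1} g_1^{r_2} h^{-d}$), the certificate check, and the deposit logic of Box 72, which rejects a replayed transcript but recovers $I = \alpha_1^{-1}\alpha_2 \bmod q$ from two transcripts with different specs.

```python
import hashlib
import secrets

_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the bases in _SMALL are exact for n < 3.3e24."""
    if n < 2 or any(n % s == 0 for s in _SMALL):
        return n in _SMALL
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in _SMALL:
        x = pow(base, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def make_group(bits: int = 48):
    """Toy G_q: the order-q subgroup of Z_p^* with p = 2q + 1 (a real system needs ~256-bit q)."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4              # 4 = 2^2 is a square mod p, hence has order q

P, Q, G = make_group()

def H(*parts) -> int:
    """The patent's H(.), instantiated here as SHA-256 over length-prefixed parts, mod q."""
    hsh = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(32, "big")
        hsh.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(hsh.digest(), "big") % Q

# CA key material as in claim 1: secret (x0, y) in Z_q^*, public h0 = g^x0 and g1 = g^y.
X0, Y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
H0, G1 = pow(G, X0, P), pow(G, Y, P)

def ca_certify(h: int, b: int, log_h: int):
    """DSA-like certificate (r, a) on h: c = H(h, b, a), a = (g^{a/c} h^{r/c} mod p) mod q.
    Toy assumption: the CA is handed log_h = log_g h; the blind issuing of FIGS. 1/5 is not modelled."""
    while True:
        w = secrets.randbelow(Q - 1) + 1
        a = pow(G, w, P) % Q
        c = H(h, b, a)
        if a and c:                                   # DSA-style: a and c must be nonzero
            return pow(log_h, -1, Q) * (w * c - a) % Q, a

def verify_certificate(h: int, b: int, r: int, a: int) -> bool:
    c_inv = pow(H(h, b, a), -1, Q)
    return pow(G, a * c_inv % Q, P) * pow(h, r * c_inv % Q, P) % P % Q == a

def withdraw() -> dict:
    """U's coin (claim 3): h = h0^alpha1 g1^alpha2 with I = alpha1^-1 alpha2 blinding-invariant;
    the commitment b = h0^u1 g1^u2 is fixed at withdrawal and covered by the certificate."""
    a1, a2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    u1, u2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(H0, a1, P) * pow(G1, a2, P) % P
    b = pow(H0, u1, P) * pow(G1, u2, P) % P
    r, a = ca_certify(h, b, (X0 * a1 + Y * a2) % Q)  # toy: representation revealed to the CA
    return {"h": h, "b": b, "r": r, "a": a, "alpha": (a1, a2), "u": (u1, u2)}

def spend(coin: dict, spec: bytes, send_d: bool = False) -> dict:
    """FIG. 6 with U and T merged: d = H(h, b, spec) and r_i = u_i + alpha_i d;
    the transcript carries b (Box 64) or, as the text notes, d instead."""
    h, b, (a1, a2), (u1, u2) = coin["h"], coin["b"], coin["alpha"], coin["u"]
    d = H(h, b, spec)
    t = {"h": h, "r": coin["r"], "a": coin["a"], "spec": spec,
         "r1": (u1 + a1 * d) % Q, "r2": (u2 + a2 * d) % Q}
    t["d" if send_d else "b"] = d if send_d else b
    return t

def verify_payment(t: dict) -> bool:
    h, r1, r2, spec = t["h"], t["r1"], t["r2"], t["spec"]
    if "b" in t:                                      # b sent: recompute d, check h0^r1 g1^r2 = b h^d
        b, d = t["b"], H(h, t["b"], spec)
        ok = pow(H0, r1, P) * pow(G1, r2, P) % P == b * pow(h, d, P) % P
    else:                                             # d sent: recover b = h0^r1 g1^r2 h^-d, check d
        b = pow(H0, r1, P) * pow(G1, r2, P) * pow(h, Q - t["d"], P) % P
        ok = H(h, b, spec) == t["d"]
    return ok and verify_certificate(h, b, t["r"], t["a"])

DEPOSITS: dict = {}                                   # CA database keyed by h: (spec, r1, r2)

def deposit(t: dict):
    """Box 72: accept a fresh coin, reject a replayed transcript, and on a second
    transcript with a different spec recover I = (r1 - r1')^-1 (r2 - r2') mod q."""
    if not verify_payment(t):
        return "invalid", None
    if t["h"] not in DEPOSITS:
        DEPOSITS[t["h"]] = (t["spec"], t["r1"], t["r2"])
        return "accepted", None
    spec_old, r1_old, r2_old = DEPOSITS[t["h"]]
    if spec_old == t["spec"]:
        return "replay", None
    ident = pow((t["r1"] - r1_old) % Q, -1, Q) * (t["r2"] - r2_old) % Q
    return "double-spent", ident
```

Calling `withdraw()`, spending the coin at two shops with different `spec` strings (one transcript carrying `b`, the other `d`) and depositing the transcripts yields `("accepted", None)` for the first deposit, `("replay", None)` if the same transcript is deposited again, and `("double-spent", I)` for the second spending, with `I` equal to the account holder's $\alpha_1^{-1}\alpha_2 \bmod q$. The replay check has to come before the identification step: identical specs give identical responses, so $r_1 - r'_1$ would be $0$ and not invertible, which is why the spec comparison of Box 42 precedes the computation of $I$. Length-prefixing the hash inputs is the example's own choice, so that an integer and a byte string can never be confused by re-splitting the concatenation.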

This concludes the detailed description. While these descriptions of the present invention have been given as examples, it will be appreciated that various modifications, alternate configurations, and equivalents may be employed without departing from the spirit and scope of the present invention. For example, there are many essentially equivalent orders to evaluate expressions; ways to evaluate expressions; ways to order expressions, tests, and transmissions within flowchart boxes; ways to group operations into flowchart boxes; and ways to order flowchart boxes. The particular choices that have been made here are merely for clarity in exposition.

It will be appreciated that all the inventive techniques developed in patent application Ser. No. PCT/NL94/00179, filed August 1, 1994, for applying restrictive blind issuing protocols in privacy-protecting mechanisms for value transport, such as credential mechanisms, can be applied without difficulty to the modified issuing protocols.

Certain omissions, variations and substitutions may be apparent to those of ordinary skill in the art. Although various such omissions, variations and substitutions have been indicated in the text, this may be more fully appreciated in the light of the following examples.

In Boxes 25 and 55, and likewise in Boxes 34 and 64, U can omit the verifications of $r_0$ and $t_1$ most or even all of the time, since erroneous responses will be detected anyway by S at payment time, and hence U can complain to the CA afterwards.

Also, as detailed in US patent application Ser. No. 08/321,855, filed October 14, 1994, by the present applicant, the secret key of U with respect to its public key $h$ can more generally consist of more than exactly two numbers in $\mathbb{Z}_q$, by introducing extra generators of $G_q$. This enables the CA to encode more than just a single blinding-invariant number into $h$. Specifically, the CA can generate additional generators $g_2, \ldots, g_k$ of $G_q$, where each generator is computed by the CA by raising $g$ to a secret power, generated at random from $\mathbb{Z}_q$. Then the public key $h$ of U can be defined to be of the form $h_0^{\alpha_1} g_1^{\alpha_2} \cdots g_k^{\alpha_{k+1}}$. It will be clear to those of ordinary skill in the art how to modify FIG. 1 such that the $k$ numbers $(\alpha_1^{-1}\alpha_2 \bmod q, \ldots, \alpha_1^{-1}\alpha_{k+1} \bmod q)$ are all blinding-invariant.

In the definition of a DSA-like secret-key certificate, in the description preceding the description of FIG. 1, one may opt to not apply $\mathcal{H}(\cdot)$ to $h$, so that $c$ is set equal to $h$ instead of $\mathcal{H}(h)$ or $\mathcal{H}(h, a)$. Although it is believed that forging such a secret-key certificate on a public key $h$ is infeasible when $h$ must be of the form $h_0^{\alpha_1} g_1^{\alpha_2}$, the hashing is believed to improve security, as with the DSA signature scheme.

Furthermore, a secret-key certificate on a public key $h$ in $G_q$ of U can be defined to be a pair $(r, a)$ in $\mathbb{Z}_q \times G_q$ such that $a$ equals $g^{a/c} h^{r/c}$, where $c$ equals $\mathcal{H}(h, a)$; the reason for using $a \bmod q$ instead of $a$ is only for greater storage efficiency of the certificate, as with the DSA signature scheme.

It will also be obvious to those of ordinary skill in the art how parts of the inventive techniques and protocols disclosed here can be used to advantage.

WHAT IS CLAIMED IS:

1. A method for an issuer party to issue DSA-like secret-key certificates that can be blinded only restrictively, the method comprising the steps of:

    generating by the issuer party, a secret key $(x_0, y)$ and a public key $(\mathrm{descr}(G_q), g, h_0, g_1, \mathrm{descr}(\mathcal{H}(\cdot)))$, whereby:

        $q$ is a prime number;
        $G_q$ is a group of order $q$, in which computing discrete logarithms is substantially infeasible but it is easy to multiply, determine equivalence of elements and to generate substantially random numbers;
        $\mathrm{descr}(G_q)$ is a description of $G_q$ including $q$;
        $\mathrm{descr}(\mathcal{H}(\cdot))$ is the description of a hash-function $\mathcal{H}(\cdot)$ for which computing inverses is substantially infeasible;
        $x_0$ and $y$ are elements of the ring, $\mathbb{Z}_q$, of integers modulo $q$;
        $g$ is an element of order $q$ in the group, $G_q$;
        $h_0$ is equal to $g^{x_0}$; and
        $g_1$ is equal to $g^{y}$;

    issuing by the issuer party to a receiver party, a secret-key certificate $(r, a)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ on a public key $h$ in $G_q$ for the receiver party, such that $(g^{a/c} h^{r/c}) \bmod q$ is equal to $a$, where $c$ is computed by applying $\mathcal{H}(\cdot)$ to at least $h$.

2. A method as in claim 1, whereby $c$ is computed by applying $\mathcal{H}(\cdot)$ to at least $h$ and $a$.

3. A method as in claim 1, whereby a secret key of the receiver party corresponding to the public key $h$ is a pair $(\alpha_1, \alpha_2)$ in $\mathbb{Z}_q \times \mathbb{Z}_q$ such that $h_0^{\alpha_1} g_1^{\alpha_2}$ equals $h$, and the quotient $\alpha_1^{-1}\alpha_2 \bmod q$ is blinding-invariant.

4. A method as in claim 3, whereby the receiver party, subsequent to the issuing, computes a digital signature with respect to a one-time public key that comprises $h$, and a verifier party verifies the public key $h$, the secret-key certificate $(r, a)$ and the digital signature.

5. A method as in claim 4, whereby the issuing is used for issuing an untraceable electronic coin and the showing is used for off-line spending of the electronic coin.